We can get into a deadlocked state where the commit-queue is stopped
because the builders are red but the SheriffBot hasn't taken action
because the builder has failed only once. The SheriffBot should force
build idle builders that have failed exactly once to either turn the
tree green again (if the test was flaky) or trigger the "failed twice"
remedies (IRC and bug posts).

(-[WebHTMLView _updateFontPanel]): Ask the window whether it is the key window rather than doing the comparison
manually. This allows DumpRenderTree's override of isKeyWindow to force this code path to be taken during tests.

WebKitTools:

Add a JavaScript hook in DRT to call through to WebView's -setEditable:. This is required in order to reproduce
the crash.

When WebKit serializes a CSS string value that contains binary characters
('\0\1\2' for example), it did not escape these characters. As a result,
users got (invisible) control characters through scripts. This change fixes
this issue.

As a side effect, two separate codes for escaping CSS strings are merged, and
become a public function (quoteCSSString).
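
The escaping described in this entry, as an added example that is not WebKit's quoteCSSString source: it follows the CSSOM "serialize a string" rules, and the function names and the small decoder are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Added example, not WebKit code: quote a CSS string value so that no raw
// control byte survives serialization.
std::string quoteCSSStringExample(const std::string& value)
{
    std::string out = "\"";
    for (unsigned char c : value) {
        if (c == 0x00) {
            out += "\xEF\xBF\xBD"; // NUL is replaced by U+FFFD (UTF-8 encoded)
        } else if (c < 0x20 || c == 0x7F) {
            // Hex escape plus ONE space, so a following hex digit such as 'b'
            // is not absorbed into the escape when the string is parsed again.
            char escape[8];
            std::snprintf(escape, sizeof escape, "\\%x ", static_cast<unsigned>(c));
            out += escape;
        } else {
            if (c == '"' || c == '\\')
                out += '\\'; // keep the surrounding quotes intact
            out += static_cast<char>(c);
        }
    }
    return out + "\"";
}

// Decoder for the escapes emitted above (code points below 0x80 only), used
// to show that the quoted form round-trips.
std::string unquoteCSSStringExample(const std::string& quoted)
{
    std::string out;
    for (std::size_t i = 1; i + 1 < quoted.size(); ++i) {
        if (quoted[i] != '\\') { out += quoted[i]; continue; }
        ++i; // character after the backslash
        if (!std::isxdigit(static_cast<unsigned char>(quoted[i]))) { out += quoted[i]; continue; }
        unsigned codePoint = 0;
        for (int digits = 0; digits < 6 && i + 1 < quoted.size()
                 && std::isxdigit(static_cast<unsigned char>(quoted[i])); ++digits, ++i) {
            int d = std::tolower(static_cast<unsigned char>(quoted[i]));
            codePoint = codePoint * 16 + (std::isdigit(d) ? d - '0' : d - 'a' + 10);
        }
        if (quoted[i] != ' ')
            --i; // only a single trailing space belongs to the escape
        out += static_cast<char>(codePoint);
    }
    return out;
}

// True if any raw control byte is present in the serialized text.
bool hasRawControlCharacter(const std::string& s)
{
    for (unsigned char c : s)
        if (c < 0x20 || c == 0x7F)
            return true;
    return false;
}

int main()
{
    // Constructed input: 'a', U+0001, 'b'.
    std::printf("%s\n", quoteCSSStringExample(std::string("a\x01" "b")).c_str());
    return 0;
}
```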

Disabling this test on Leopard until further investigation can reveal the answer.
It looks like at this point, any new test added will cause this test to fail on Leopard
release bot, even if it has nothing to do with live regions.

Serialization process became more flexible. A state can either
directly write primitive values (instead of returning them like
iterator) or construct a new state for serializing complex values
that will return to the current state when done.

Deserialization process now avoids exposing the tags using a set
of factory functions for complex objects instead.

Internal buffer type changed to uint8_t to be independent of
whether char is signed or not.

Refactored error reporting mechanism on Worker Global Objects.
Unlike other event listeners which accept single argument (Event)
onerror handler on worker global object should be a function
accepting three arguments. This error reporting was implemented as
EventListener::reportError method which had custom implementations
for v8 and JSC. This patch removes EventListener::reportError and
moves its functionality into custom bindings (V8WorkerContextErrorHandler
and JSWorkerContextErrorHandler) that implement EventListener interface
for the onerror handler.

This patch also makes uncaught exceptions that happen in the onerror
listener be reported to the Worker's onerror handler.

Instead of just looking for two sequential red builds, look for two
sequential failures of the same test. This should reduce sheriffbot
false positives substantially.

I'm landing this change unreviewed because I've noticed SheriffBot
triggering a lot more false positives now that we've expanded the set
of core builders. I've tried to take Eric's comments on Bug 37063 into
account. I'm happy to iterate on this patch tomorrow once Eric wakes
up.

WebCore::distanceInDirection method was handling much of the logic not
strictly only related to the distance between nodes acquisition. This
method was simplified and renamed to 'WebCore::distanceDataForNode'.
The latter is now responsible for only getting the distance and alignment
data, while all assignment logic previously in distanceInDirection method
was moved to updateFocusCandidateIfCloser.

Parent document distance and alignment acquisitions, in turn, have also
changed location: they are both got from deepFindFocusableNodeInDirection,
and passed in a recursive call to findFocusableNodeInDirection via the
candidateParent variable (optional parameter). In addition, the need for
the 'focusCandidateCopy' variable in deepFindFocusableNodeInDirection method
was removed, making the code much cleaner.

No behaviour change at this point. Mostly moving code around to the place
where it should live in.

Fixed bugs in JavaScript bindings for uniform[Matrix]* entry
points causing them to throw exceptions rather than synthesize GL
errors. Fixed the implementations to synthesize INVALID_VALUE
rather than INVALID_OPERATION to comply to the WebGL spec. Updated
uniform-location-expected.txt to incorporate the correct error.
Tested in Safari and Chromium.

The previous mechanism for testing whether an event was due to a user
gesture only checked the event type, not the source of the event. This
allowed scripts to defeat popup blocking by programmatically emitting
certain types of events.

Change the user gesture detection to check for a flag that is only set
when the event in question was generated through the platform and not
through the DOM.

dom/UserGestureIndicator.cpp: Added.
(WebCore::UserGestureIndicator::UserGestureIndicator): Save the previous
value of s_processingUserGesture before setting it to true.
(WebCore::UserGestureIndicator::~UserGestureIndicator): Restore
s_processingUserGesture to its previous value.
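
The save-and-restore guard described in this entry, as an added example that is not the WebKit source: the class and flag names come from the entry, while the entry-point functions and the event types in the old check are hypothetical.

```cpp
#include <cstdio>
#include <string>

// Guard as described in the entry: remember the previous flag value, set the
// flag, and restore the previous value when the scope ends.
class UserGestureIndicator {
public:
    UserGestureIndicator() : m_previousValue(s_processingUserGesture) { s_processingUserGesture = true; }
    ~UserGestureIndicator() { s_processingUserGesture = m_previousValue; }
    static bool processingUserGesture() { return s_processingUserGesture; }
private:
    static bool s_processingUserGesture;
    bool m_previousValue;
};
bool UserGestureIndicator::s_processingUserGesture = false;

// Old check (hypothetical reconstruction): trusts the event type alone, so it
// cannot tell platform input from an event created through the DOM.
bool oldCheckAllowsPopup(const std::string& eventType)
{
    return eventType == "click" || eventType == "mouseup" || eventType == "keydown";
}

// New check: a popup is allowed only while platform input is being handled.
bool newCheckAllowsPopup() { return UserGestureIndicator::processingUserGesture(); }

// Hypothetical platform entry point: real user input arrives here, and the
// page's handler runs inside the guard's scope.
bool popupAllowedDuringPlatformClick()
{
    UserGestureIndicator indicator;
    return newCheckAllowsPopup();
}

// Hypothetical DOM entry point: the event was dispatched by script, so no
// guard was created and the flag keeps whatever value it already had.
bool popupAllowedDuringSyntheticClick() { return newCheckAllowsPopup(); }

// Why the previous value is saved instead of resetting to false: an inner
// guard ending must not cancel the outer gesture that is still in progress.
bool flagSurvivesNestedIndicator()
{
    UserGestureIndicator outer;
    {
        UserGestureIndicator inner;
    }
    return UserGestureIndicator::processingUserGesture();
}

int main()
{
    std::printf("old check, synthetic click: %d\n", oldCheckAllowsPopup("click"));
    std::printf("new check, synthetic click: %d\n", popupAllowedDuringSyntheticClick());
    std::printf("new check, platform click:  %d\n", popupAllowedDuringPlatformClick());
    return 0;
}
```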

When we update compositing layers (which can happen on scrolling, when there are fixed position elements
on the page), we can end up redundantly setting images as layer contents if we have to color-correct
the image. This is because we call CGImageCreateCopyWithColorSpace(), which hands back a new image
every time.

Avoid this by storing a reference to the original uncorrected image, which is used to then
avoid work if the image does not change.

window.openDatabase() always fails for new databases when using WebKit nightly with Safari 4.0.5. This is caused by a SecurityOrigin pointer comparison that I should have switched to be a hash comparison in r56293 [bug 34991]. https://bugs.webkit.org/show_bug.cgi?id=36671

No new tests. Requires testing on Safari on Windows.

storage/DatabaseTracker.cpp:
(WebCore::DatabaseTracker::fullPathForDatabaseNoLock): Convert a pointer comparison to use SecurityOriginHash::hash() instead, and move it to the end of the clause for speed in the easy-out case.

When we moved the "builders are red" check into the master process, we
forgot about rollouts. I thought we had a test covering this case, but
looking at the test, it was a bit too loose. I added a new test and
introduced some new logging technology into MockTool to make the test
tighter.

Configure multi-language movies: when QuickTime has sufficiently loaded
the movie, call into wkQTMovieSelectPreferredAlternates to select the
movie's alternate tracks according to the user's language preferences.

platform/graphics/mac/MediaPlayerPrivateQTKit.mm:
(WebCore::MediaPlayerPrivate::updateStates): If the movie is sufficiently loaded,
call wkQTMovieSelectPreferredAlternates to set up the alternate tracks.

RenderBlock::layoutInlineChildren is 351 lines long and very difficult
to comprehend or edit safely. This patch splits it up into a few
slightly smaller functions. Most of the code is now in the 241 line
layoutRunsAndFloats() which is a slight improvement.

Perf neutral on the page cyclers. This doesn't introduce any function
calls into the hottest layout paths inside layoutRunsAndFloats and
findNextLineBreak.

When a page specifies the generic "monospace" font and the user's
browser-configured monospace font doesn't exist, we previously relied
on getLastResortFallbackFont to eventually pick a monospace font for us.

But that doesn't quite work: WebKit first falls back to the user's
"preferred standard font" before hitting the last resort code path.
So if the above conditions hold but this font exists, we'll end up
never hitting the last resort codepath.

The fix is to allow OS-level font fallback when first attempting to
resolve monospace. The existing code tried to do this, but the logic
was wrong. We would eventually fall back to the correct font anyway
so we didn't notice the logic was wrong.

This code is all handling cases where particular fonts aren't installed,
so I can't think of a way to test it; existing tests should still pass.

CanvasRenderingContext::canvas() being an HTMLElement(), so that this usage
can be dealt with in one place.
(WebCore::CanvasSurface::securityOrigin): Only used by methods that are
only run in the document context.
(WebCore::CanvasSurface::renderBox): Will likely return 0 in a worker context.
(WebCore::CanvasSurface::computedStyle): Used by setFont. Return value is TBD for
the worker context.
(WebCore::CanvasSurface::styleSelector): Ditto.

dom/CanvasSurface.h:

html/HTMLCanvasElement.cpp:

(WebCore::HTMLCanvasElement::getContext): Passing in information into
the CanvasRenderingContext2D constructor to eliminate some uses of document
inside of the CanvasRenderingContext2D class.

html/HTMLCanvasElement.h:

(WebCore::HTMLCanvasElement::renderBox): Added to disambiguate between the
two parent class versions of the method.
(WebCore::HTMLCanvasElement::computedStyle): Ditto.

html/canvas/CanvasRenderingContext2D.cpp: All of these changes are about
removing document usage either by using a bool that is set in the constructor or
by calling one of the new methods added to CanvasSurface.
(WebCore::CanvasRenderingContext2D::CanvasRenderingContext2D):
(WebCore::CanvasRenderingContext2D::clearPathForDashboardBackwardCompatibilityMode):
(WebCore::CanvasRenderingContext2D::checkOrigin):
(WebCore::CanvasRenderingContext2D::prepareGradientForDashboard):
(WebCore::CanvasRenderingContext2D::createPattern):
(WebCore::CanvasRenderingContext2D::setFont):
(WebCore::CanvasRenderingContext2D::drawTextInternal):

fast/canvas/webgl/index-validation-expected.txt: Gathering more information about the cause of the failure. It's not a fix, and it won't change the current test behavior either, i.e., it won't make it better or worse.

To fix this issue, we don't save a value if it is not changed from
the default value.

Updating the value IDL attribute of some controls such as
type=hidden also updates the value content attribute, and it's
impossible to distinguish the initial value and the current
value. The values of such controls are not saved. It won't be a
problem because we want to save and restore user-edited values.

Test: fast/forms/state-restore-to-non-edited-controls.html

html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::saveFormControlState):
Do not save the value if it is the same as the default value.

html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElementWithState::autoComplete):
Added. It returns the autocomplete state of the form.
(WebCore::HTMLFormControlElementWithState::shouldSaveAndRestoreFormControlState):
Added. It returns the result of autoComplete().
(WebCore::HTMLFormControlElementWithState::finishParsingChildren):
Do not restore state if shouldSaveAndRestoreFormControlState() is false.

bindings/v8/V8DOMWrapper.cpp:
(WebCore::V8DOMWrapper::setHiddenReference): Split common logic out of hidden setHiddenWindowReference
(WebCore::V8DOMWrapper::setHiddenWindowReference): Now contains logic specific to putting a
hidden reference on a global object.
(WebCore::globalObjectPrototypeIsDOMWindow): Be more thorough in the COMPILE_ASSERTs.
(WebCore::V8DOMWrapper::convertEventTargetToV8Object): Cleanup: Remove a duplicate if statement.

The contract between apply_reverse_diff and PrepareChangeLogForRevert
was unclear. I broke filling out the ChangeLog during rollout earlier
when I changed apply_reverse_diff to revert the ChangeLogs because
PrepareChangeLogForRevert thought that it was supposed to do that.
I've now taught PrepareChangeLogsForRevert the new contract.

It's unclear to me how to test this change because it's essentially an
integration issue that requires the file system. At some point we
should think about a testing strategy for integration. As the system
becomes larger, we're running into more of these issues.

The purpose of this patch is also to provide a mini-tutorial on
how to unit-test Python logging.py messages.

Scripts/webkitpy/common/net/networktransaction_unittest.py:

Unit-tested the log messages in test_retry().

Scripts/webkitpy/common/system/logtesting.py:

Adjusted the LogTesting class by moving the code that clears
the array of log messages into a finally block. This prevents
redundant AssertionErrors from getting rendered to the screen
while running unit tests.

Added a LoggingTestCase class so the setUp() and tearDown()
methods do not need to be implemented in order to test logging.
Rather, TestCase classes can simply inherit from this class.

r56943 introduced a check to see if there were any unprocessed
SQL commands after calling sqlite3_prepare16_v2.

Accessing the remaining data via pointer wasn't possible since
the query string is deallocated immediately after the
query runs. The String returned from strippedWhiteSpace
goes out of scope at that point.

Fix is to store the strippedWhiteSpace in a temporary String
so we can access it via character ptr later in the function.

This rewrite puts the disabling not in the PythonProcessor but
in the calling code's default filter rule configuration. This
allows the user to check line-length style from the command-line
if desired.

Scripts/webkitpy/style/checker.py:

Added "-pep8/E501" to the _BASE_FILTER_RULES configuration
variable to disable the line-length check.

Added "-pep8/E501" to the list of recognized style categories
to permit the category to be checked from the command line.

This is a follow up to commit r56906. The fourth filter example,
feMorphology, shouldn't be displayed. filterRes causes a scaling of the filter
parameters, so that one value of 'radius' is lower than one.
The spec wants us to round filter values down and a value of zero
for 'radius' stops the rendering process of feMorphology.

This patch does a few things to make the error handling in rollout a
bit more robust.

Scripts/webkitpy/common/checkout/api.py:

The old logic here was wrong. We don't want to resolve the
ChangeLogs (that would remove the old ChangeLog entry). Instead,
we want to revert the ChangeLogs so we can fill them with the new
message.

Scripts/webkitpy/tool/commands/download_unittest.py:

Update test expectations because we're using a different mock object.

Scripts/webkitpy/tool/commands/download.py:

Added an update command to make updating from the SheriffBot more
robust.

Now that we have CommitInfo, we can automatically CC the
responsible parties on the bug we create.

Re-ordered the steps in create-rollout. Our original thinking
was that we always wanted to create the bug, but that's not
really true given how things appear to be playing out. If we
fail to apply the reverse diff, we don't want to create the bug.

WebViewHost class
It's an implementation of some delegates required by Chromium
WebKit API, and manages painting of a WebView. It's based on
src/webkit/tools/test_shell/test_webview_delegate.{cc,h} of
Chromium rev.40492.

TestShell class
The TestShell instance holds global states of DumpRenderTree process.
Unlike TestShell class of Chromium test_shell, TestShell instance is
created just once.

Fix bug: CSS3 :not selector with ID simple selector sequence test fails
As per http://www.w3.org/TR/css3-selectors/#negation, :not(X) takes a simple selector as an argument.
WebKit was accepting a simple selector *sequence*.
This patch adds WebCore::CSSSelector::isSimple which judges if the selector is simple.
The method is used in CSSGrammar.y to decide whether to accept the selector as the argument of :not(). https://bugs.webkit.org/show_bug.cgi?id=36276

[chromium] FindInPage on multi-frame pages wasn't always updating
tickmarks on scrollbars for the subframes. It was calling invalidateRect
on the View and specifying a rect that's in window coordinates, whereas
the invalidateRect expects frame coordinates.

xml/XSLStyleSheetLibxslt.cpp:
(WebCore::XSLStyleSheet::parseString):
Handle an empty string gracefully. An empty string has a NULL
buffer, which we pass in to xmlCreateMemoryParserCtxt(). It returns
NULL if it is passed a NULL buffer.
In the top-level XSL case, the current code does not crash "by luck"
because the other APIs used can handle a NULL argument. In the
@import case, additional code runs which will dereference the NULL.

If a file's modification time is modified, but the contents are not,
then diff-index will think the file has been modified unless you do
some crazy update-index call. Instead, call diff --name-only, which
has the index update built in.

Tried to write a test, but could not reproduce this in a unittest.
To test manually:

Fix assertions added in r56017. That change replaced calls to needsToBeComposited()
with use of the local 'willBeComposited' variable, but that fails to take into
account the fact that needsToBeComposited() also tests layer->isSelfPaintingLayer().

Fix by adding a canBeComposited() method that we call before testing
whether the layer should go into compositing mode.

Test: compositing/self-painting-layers2.html

rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::calculateCompositedBounds): Replace use of isSelfPaintingLayer()
with a call to canBeComposited().
(WebCore::RenderLayerCompositor::computeCompositingRequirements): Call canBeComposited() to ensure
that we only toggle 'willBeComposited' for layers that can.
(WebCore::RenderLayerCompositor::needsToBeComposited): Call canBeComposited().
(WebCore::RenderLayerCompositor::canBeComposited): Test if compositing is enabled, and whether
the layer is self-painting.

RenderLayer::updateLayerPositions() makes a recursive walk through all RenderLayers and updates the repaint rectangles on each.
These rectangles have to be calculated in the repaint container's coordinates using RenderObject::mapLocalToContainer to walk
up to the repaint container. This patch keeps track of the offset to the root and uses that offset instead of walking back up to
the root every time.

Plugins/Hosted/NetscapePluginInstanceProxy.mm:
(WebKit::NetscapePluginInstanceProxy::LocalObjectMap::get): The HashTable assertions aren't
there to catch potential future attempts to store empty/deleted values before these happen -
it's actually wrong to try to look up these values. Added an early return.
(WebKit::NetscapePluginInstanceProxy::LocalObjectMap::forget): Ditto.

Dan asked me to investigate why 19006 is no longer needed. I have two answers:

(1) I was also able to remove the synchronous call to updateFromElement().
That call was the proximate cause of the crash that 19006 fixed.

(2) updateFromElement() no longer calls HTMLElement::setInnerText()
in the way that it used to. (However, it doesn't seem prudent to
rely on this happy coincidence.)

html/HTMLInputElement.cpp:

(WebCore::HTMLInputElement::setValue): Simplified some logic here. Moved
setNeedsValidityCheck() outside of individual 'if' clauses, since they all
called it.

Removed call to updateStyleIfNeeded(), which does rendering synchronously,
since that was the performance problem. (setNeedsStyleRecalc() ensures
that rendering will happen asynchronously.) Also removed comment about
ordering dangers introduced by updateStyleIfNeeded().

Removed call to updateFromElement(), since it's dangerous and also a minor
performance problem. (setNeedsStyleRecalc() ensures that updateFromElement()
will happen asynchronously, too.)

html/HTMLTextAreaElement.cpp:

(WebCore::HTMLTextAreaElement::setNonDirtyValue): Ditto. Here, I had to
add a call to setNeedsStyleRecalc(), since there wasn't one before.

Plugins/Hosted/NetscapePluginInstanceProxy.mm:
(WebKit::NetscapePluginInstanceProxy::LocalObjectMap::get): Use find() instead of get(),
because the latter fails with an assertion when looking up 0 or -1.
(WebKit::NetscapePluginInstanceProxy::LocalObjectMap::forget): Be prepared for unexpected
object IDs coming from plug-in host.

Web Inspector: Sometimes js code can detach page from its frame and in that case
Dispatch Events will stay in the TimelineAgent's events stack. Only immediate events will
appear at frontend. https://bugs.webkit.org/show_bug.cgi?id=36890

RenderText's implementation of clippedOverflowRectForRepaint() uses containingBlock()
to get the renderer to use for computing the repaint rect. However, the renderer returned
by containingBlock() may be an ancestor of the repaintContainer, and containingBlock()
doesn't have the 'repaintContainerSkipped' logic that container() has.

So in this case, check to see whether repaintContainer is actually a descendant of the
containing block, and in that case just repaint the entire repaintContainer.

[chromium] FindInPage should clear the focused node when a match has
been found. This is because WebFrameImpl::setFocus will try to refocus
editable elements if it thinks they have focus, causing the page to
scroll.

Rewrite getCTM() / getScreenCTM() handling in an iterative way, fixing all known problems/limitations.
The bug mentioned above is actually not a regression, getScreenCTM() only worked before, because we
did not handle non-SVG CSS box parents properly. When support was added to handle those cases, the
getScreenCTM() handling was completely off, causing a lot of trouble in real-life SVG applications (carto.net for instance).

Share code between the different svgsvgelement-ctm*.xhtm tests, placed in svg/custom/resources.
Add several new tests covering getCTM()/getScreenCTM() on text, inner and outer svg elements and containers.